Writeup NodeClimb from DockerLabs

I'm passionate about ethical hacking and constantly strive to improve my skills. I regularly solve CTF challenges to practice and expand my knowledge in cybersecurity.

You have two options: READ or WATCH me on YouTube as I complete this CTF Machine.

Do not press the Subscribe Button, it is ILLEGAL 😁😆😅😂🤣

Let's start our reconnaissance with a quick nmap scan:

nmap -p- --open -sV -sC -sS --min-rate=5000 -n -Pn 172.17.0.2 -oN Nmap1

-p- - Scan all 65535 TCP ports, not just the default top 1000

--open - Show only open ports

-sS - TCP SYN (half-open) scan, the fast default scan mode when running as root

-sC - Run the default set of NSE reconnaissance scripts

-sV - Detect the version of each open service

--min-rate=5000 - Makes the scan faster by sending no fewer than 5000 packets per second

-n - No DNS resolution

-Pn - Skip host discovery (no ping) and treat the host as up

-oN - Save normal output to the given file name (here Nmap1)

As we can see, ports 21 and 22 are open, and on port 21 (FTP) anonymous login is allowed.

Let's log in with:

ftp 172.17.0.2
username: anonymous
password: *no password, just hit ENTER*

Once logged in, we can see one zip file called secretitopicaron.zip.

Let's download it to our machine:

get secretitopicaron.zip

Now we have the zip file on our machine, and we need to open it to check what we have inside.

But we have one problem: the zip file is protected with a password.

Let's try to find the password: zip2john extracts the hash from the zip file, and john cracks that hash.

zip2john secretitopicaron.zip > hash

Now that we have the hash, let's find the password with john.

The password is: password1

Let's open the file with:

unzip secretitopicaron.zip

Once unzipped, we have a file called password.txt. Let's open it.

cat password.txt

And we can see that we have one username and one password.

On the first scan with Nmap, we saw that port 22 (SSH) is also open. Let's try to log in with these credentials.

We have successfully logged in.

Privilege Escalation

sudo -l

Here we can see that we are allowed to run the 'node' command as root, on the script.js file located at /home/mario/script.js.

Let's go to the GTFOBins website and search for:

node

On the GTFOBins website, we can see that we need to run the command:

sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})'

But this one-liner is written for a sudo rule that allows bare node. Here the rule only lets us run node on the script.js file, so running it as-is will give an error.

What we need to do is copy just this part of the GTFOBins payload:

require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})

Open script.js with nano and paste this code into it.

Save the file with Ctrl+O and exit with Ctrl+X.

Now just run the script with:

sudo /usr/bin/node /home/mario/script.js

And we are root.
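The weakness here is not node itself but the sudo rule: it lets mario run node as root on a script that mario can edit. As an added example (not part of the original writeup), the following Python audits sudoers-style rules for exactly this pattern, an interpreter pinned to a script that the rule's user can write or replace. The file modes, uids, the /opt/tasks paths and the bare-node rule are constructed sample data; only the /home/mario/script.js rule mirrors the box.

```python
import posixpath
import re
import stat
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Interpreters execute whatever file they are handed, so a sudo rule that pins
# one to a script is only as strong as the permissions on that script.
INTERPRETERS = {"node", "nodejs", "python", "python3", "perl", "ruby", "bash", "sh"}

# sudoers rule shape handled here: user  host=(runas) [TAG:]... command [args]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?:[A-Z]+:\s*)*(?P<cmd>.+)$"
)


@dataclass(frozen=True)
class FileInfo:
    """Constructed stand-in for os.stat(): mode bits plus owner and group ids."""
    mode: int
    uid: int
    gid: int


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gids: FrozenSet[int]


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    reason: str


def writable_by(info: FileInfo, user: User) -> bool:
    """Classic Unix permission check on mode bits only, so the verdict does not
    depend on the privileges of whoever runs this audit."""
    if user.uid == 0:
        return True
    if info.uid == user.uid:
        return bool(info.mode & stat.S_IWUSR)
    if info.gid in user.gids:
        return bool(info.mode & stat.S_IWGRP)
    return bool(info.mode & stat.S_IWOTH)


def audit_rule(line: str, users: Dict[str, User], files: Dict[str, FileInfo]) -> List[Finding]:
    """Return the weaknesses found in one sudoers rule, or [] if there are none."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    m = RULE_RE.match(line)
    if not m:
        return []
    user = users.get(m.group("user"))
    if user is None:
        return []  # group (%wheel) and alias rules are out of scope for this example
    argv = m.group("cmd").split()
    if posixpath.basename(argv[0]) not in INTERPRETERS:
        return []
    scripts = [a for a in argv[1:] if a.startswith("/")]  # flags such as -e are not files
    if not scripts:
        # Bare interpreter: the GTFOBins one-liner works directly.
        return [Finding(line, argv[0], "interpreter allowed without a pinned script")]
    findings: List[Finding] = []
    for path in scripts:
        info = files.get(path)
        if info is None:
            findings.append(Finding(line, path, "script does not exist, so the user may create it"))
        elif writable_by(info, user):
            findings.append(Finding(line, path, "script is writable by the sudo user"))
        parent = files.get(posixpath.dirname(path))
        if parent is not None and writable_by(parent, user):
            findings.append(Finding(line, path, "parent directory is writable, so the script can be replaced"))
    return findings


# Constructed sample data modelled on the lab (paths under /opt and all ids are assumptions).
USERS = {"mario": User("mario", 1000, frozenset({1000}))}
FILES = {
    "/home/mario": FileInfo(0o755, 1000, 1000),
    "/home/mario/script.js": FileInfo(0o644, 1000, 1000),  # owned by mario: editable with nano
    "/opt/tasks": FileInfo(0o755, 0, 0),
    "/opt/tasks/task.js": FileInfo(0o644, 0, 0),  # root-owned file in a root-owned dir: hardened layout
}
RULES = [
    "mario ALL=(root) NOPASSWD: /usr/bin/node /home/mario/script.js",  # the lab's weakness
    "mario ALL=(root) NOPASSWD: /usr/bin/node /opt/tasks/task.js",     # same rule, hardened
    "mario ALL=(root) NOPASSWD: /usr/bin/node",                        # bare interpreter
]


def audit(rules, users=USERS, files=FILES) -> List[Finding]:
    return [f for rule in rules for f in audit_rule(rule, users, files)]


if __name__ == "__main__":
    for f in audit(RULES):
        print(f"{f.path}: {f.reason}\n    rule: {f.rule}")
```

The first rule produces two findings (mario owns both the script and its home directory), the hardened copy under /opt/tasks produces none, and the bare interpreter is flagged on its own. The fix on the box side is the second layout: a root-owned, 0644 script in a root-owned directory, or no interpreter in sudoers at all.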

Thank you so much for reading this. Please don't forget to check out my YouTube channel and subscribe. Thank you all!
